The Online Privacy Debate in the Wired World

The Online Privacy Debate in the Wired World

To understand the industry and public debates about online privacy, it is essential to understand the opt-in versus opt-out debate. This debate has just a few technical implications at present, but properly understanding privacy from the business perspective is important. Privacy is an essential feature of any product or service and a core business objective. The burden of proving the active presence of privacy to the consumer is required for a successful product. Understanding the legal issues (at the very least, at a high level) is necessary for ensuring that your product meets federal requirements and does not violate consumer rights. At the heart of the current online privacy debate is the tug-of-war between those in favor of opt-in policies and those in favor of opt-out policies.

Although telecommunications carriers are prohibited from revealing certain information, except to law enforcement authorities upon proper request, they are permitted to sell certain personal information with consumers' consent. The types of information that fall into each category are being hotly debated. These debates will likely continue for the foreseeable future. Just how to obtain consumer consent is the heart of privacy arguments. Should users have to opt out of having their information shared and sold, or should companies require them to opt in?

Opt-out policies are the most prevalent form of privacy policies in most industries today. Numerous studies have shown that opt-out notices fail miserably at the task of protecting consumer privacy. The data in question here is customer proprietary network information (CPNI) or consumer-identifying information. Opt-out notices are typically vague, incoherent, and intentionally hidden in verbose agreements. Under the Gramm-Leach-Bliley Act, we have seen that opt-out schemes do not successfully protect CPNI or consumer-identifying information. If users do not actively opt out, businesses share personal information, including addresses, phone numbers, e-mail addresses, purchasing patterns, and even more confidential information, such as social security numbers. Companies profit from users' failure to read fine-print legalese that comes in an envelope full of junk mail.

The Gramm-Leach-Bliley Act requires certain financial and insurance institutions to send notice of an opportunity to opt out before disclosing personally identifiable information. The law is written so that these institutions compose the notices in a readable manner, yet most consumers would be shocked at the failure rate of this requirement. The opt-out policy suggested in the Gramm-Leach-Bliley Act is so poorly constructed and ineffective that the Federal Trade Commission is investigating the matter in a formal workshop.

The wireless carrier industry does not advocate these opt-out policies. It recognizes the burden placed on consumers by privacy violations and does not want its medium, wireless communication, associated with something so annoying. The wireless industry, in general, supports legislation that provides for opt-in policies that are more protective of consumer privacy.

Opt-in policies are gaining ground in the online arena. These policies are designed to facilitate greater consumer control over personal information. The opt-in policies are much more difficult for companies to abuse than opt-out policies. Effective privacy policies should offer a range of choices. When planned correctly, opt-in policies can be better sources of direct marketing than opt-out policies. The consumers who actively request marketing, for instance, are genuinely interested, and companies can save money by targeting only interested parties with mailings. Congress has mandated that the Federal Communications Commission (FCC) implement procedures that protect consumer privacy when using cellular phones and other wireless devices.

Online privacy discussions cover issues besides opt-in versus opt-out privacy policies. Spam and government or private surveillance also come into play. Unwanted messages, spam, are a pervasive problem in the wired world. Automated technologies send e-mails to hundreds of thousands of unwanted recipients daily. Spam is taxing on servers, annoying to consumers, and an abuse of an intended system. To thwart spam, privacy advocates continually battle with Internet service providers (ISPs), e-mail providers, and Internet application providers, with only moderate success. Spam is a privacy concern in that it is unsolicited. Some e-mail clients, ISPs, or corporate servers prevent spam at various levels, but it is largely unavoidable. Every time an e-mail address is used in registering for a Web site or mailing list or is published anywhere on the Internet, it can be picked up and bombarded with unwanted or offensive e-mails.

Government and private surveillance of users' Web surfing habits is a subject of much debate as well. Consumers should not assume that their Web surfing is private, but few of them know the extent to which this data is warehoused and can be used to learn about them. Direct marketing associations learn a lot about which marketing to push to a user by investigating data about where the user spends his time on the Internet.

In addition to tracking Web surfing habits, ISPs store e-mails in repositories for many reasons. In some cases, the storage is for strictly legitimate purposes. If subpoenaed, ISPs are required to produce e-mails sent to or from a given user. The government allegedly views only the name of the sender and recipient and perhaps the date and time the e-mail was sent but not the internal content in its system, called DCS1000.

DCS1000 is an FBI technology that aids in gathering information to solve crimes. It is a packed-based communications interception system. DCS1000 comes under heavy criticism because it is not publicly available and because whether it tracks e-mails only after a warrant has been obtained cannot be proved. Many view this technology as an invasion of user privacy. It is a point of contention among all players in the online world. Several privacy groups have already expressed concern that Carnivore may be used in a pervasive fashion to intercept wireless e-mail. These groups believe that industry companies will not be able to provide the proper privacy safeguards with Carnivore technology in place. The FBI asserts repeatedly that it will not use Carnivore to monitor the content of e-mails.